CTOvision.com

Context for the CTO, CIO, CISO and Data Scientist

Home » Archives for Toby Duthie

Toby Duthie

Swords Still Crossed Over Privacy Shield

In October last year, the Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbor agreement. Concern had been mounting for some time that the agreement failed to provide adequate protections for EU citizens’ private data located in, or transferred to, the United States. The decision means that the most commonly used data transferring method between the EU and the US – allowing for over 4000 companies to store and process data in the US – is no longer an option. Until agreement is reached on the exact nature of the new Privacy Shield, there is no global, over-arching framework in place to allow the transfer of personal data belonging to EU citizens out of the region – and that companies face the risk of potential fines and prosecutions if they do so.

The impact for companies is very significant as, until the new Privacy Shield is in place, the CJEU ruling requires for them to obtain each EU citizen’s explicit consent before moving their personal data to the US – this includes such information as their name, email or home address, employee’s HR data and health-related information or any documents containing such details.  In practical terms, this has implications across Europe for the way in which hospitals, for example, store patient data, businesses archive HR information, and subsidiaries share internal and external data with their US-based parent organisations.

Without Safe Harbor, US companies will have to be up-to-speed on the individual data protection policies in individual European countries – particularly Germany, France and Switzerland, which have the most stringent rules – especially in the context of civil and criminal investigation and litigation. Taking Germany as an example – following the CJEU decision, if or when a US-based company needs to transfer data from Germany to the US, it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and/or ask a US court or government entity to request the documents from Germany though official processes – such as a mutual legal assistance treaty (MLAT).

In France, US companies will have to consider blocking statutes – and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws – before transferring data out of the country.  The UK’s Data Protection Act and Italy’s Data Protection Code also make data transfers difficult and need to be adhered to on a case-by-case basis. Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines. It is therefore vital for companies to conduct self-assessments and ensure compliance with interim data protection legislation with individual EU countries and, longer term, make sure that they have the procedures and infrastructure in place to comply with the forthcoming EU legislation.

With suggestions that the EU Council are making plans to allow fines to be imposed of up to €1 Million or 2% of global annual turnover, and for the EU Parliament to levy fines up to €100Million or 5% of global turnover, it is critical that companies act now and keep on the right side of Europe’s new data protection laws.  The abandonment of Safe Harbour and confusion around Privacy Shield while the mechanism is finalised only serves to demonstrate the importance of long-term and consistent observance and monitoring of local data protection laws and policies for companies of all sizes.

But that’s not the only piece of legislation on the table. On 14th April, the EU Parliament also formally adopted the General Data Protection Regulation (GDPR). This is another, separate legislative step intended to modernise and overhaul the the EU’s many different data protection laws. The next step will be for the GDPR to be officially published, translated, and put to print in the Official Journal of the European Union, probably in June. Less than a month after that, the two-year countdown to the GDPR taking effect will commence.  As the GDPR reaches the end of this lengthily acceptance and adoption process, it’s worth remembering that it too will strengthen an EU citizen’s control over their personal data, giving new rights, such as the right to data portability and the right to be forgotten – and put a strain on any transatlantic data transfer agreements.

FRA’s position has always been to treat local data protection and transfer laws as a priority and first point of reference for any business wishing to store or transfer sensitive customer or employee data – but now it’s even more important. Ultimately, it is the national privacy regulators and European judges who are responsible for determining whether transfers could or should have been made (and whether they were done appropriately) not the US Department of Commerce or the Commission.

We can accelerate your compliance with GDPR and do so in a way that helps your security posture. For more see OODA LLC

More reporting:

Sometimes We Love The EU and Their Regulations: Tech Firms Face Prospect of Fines in Europe Over Terror Propaganda

If You Could Pick One Thing For Congress To Do Regarding CyberSecurity, What Would It Be?

What The Board Needs To Know About the GDPR

 

International Sanctions and Embargoes Legislation: Changing Trends, Deferred Prosecutions & Landmark Cases

The global increase in economic sanctions-related enforcement has put many companies in deeply challenging positions and some of the most recent cases captured the attention of compliance and legal officers worldwide. One of the more significant enforcement actions, albeit relatively low in monetary value, was the personal $1 million fine against the former Chief Compliance Officer of MoneyGram International Inc. In 2014 – the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) argued that the CCO was at fault for not ensuring that MoneyGram followed anti-money laundering laws, which resulted in significant money laundering activity.

Global trends indicate that penalties, fines and other enforcement mechanisms are increasingly draconian. Furthermore when combined with internal and external legal and advisory costs, as well as other costs stemming from Deferred Prosecution Agreements (such as independently appointed compliance monitors), the aggregate cost increases even more. In one such example, the 2014 BNP Paribas S.A. (BNPP) case included a total monetary penalty of $8.97 billion due to violations of US sanctions – which included processing over $30 billion dollars through the US financial system on behalf of Iranian, Sudanese and Cuban entities.

Another case of significant importance was the HSBC Holdings PLC and HSBC Bank USA (together – HSBC) in 2012.  The enforcement action included a record number of government agencies, and yielded the highest settlement to date – $1.9 billion. The matter of the case was widespread and included violations of sanctions as well as AML laws. This  resulted in $1.256 billion forfeiture and numerous civil penalties totalling $665 million.

It is also important to understand the significance of the Standard Chartered (SC) cases of 2012 and 2014. In 2012, SC settled with the NYDFS for sanctions violations by processing transactions on behalf of entities under US sanctions. The settlement included a $340 million penalty, as well as a deferred prosecution agreement which imposed external compliance monitors. However, unlike most monitorships, the NYDFS mandate in this case included specific investigative requirements. As a result, SC was found by the monitor to have violated AML compliance issues and NYDFS imposed an additional $300 million penalty in 2014. Further, initial enforcement action in late 2012 was taken against SC by the US DoJ which resulted in a DPA and a $227 million forfeiture. The significance of this case lies in the fact that NYDFS acted first and alone, while other regulators were still considering the case.

Another significant development has been the cooperative enforcement efforts between multiple regulators and prosecutors. This is particularly noteworthy as these violations are frequently by their very nature cross border. Increasingly, more agencies and more divisions of agencies get involved in enforcement actions by attempting to establish liability for double or even triple violations – for example, AML and sanctions or sanctions and the Foreign Corrupt Practices Act or Bribery Act violations. This trend is proving itself to be an easy enforcement option, for example, when a financial institution carries out transactions that are covered by the sanctions, those institutions take steps to hide and/or legitimise such transactions.

The same holds true for sanctions and FCPA – if a bribe is paid by an organisation that is within the FCPA jurisdiction to an official of a government that is under sanctions, the organisation improperly records the payment and therefore violates the books and records provision of the FCPA. Such double-violations in turn attract more enforcement agencies – as seen in the HSBC case, it involved a record number of government agencies. This is a particularly significant development because it also increases the costs of non-compliance.

The cost of non-compliance is growing steadily as regulatory enforcers are imposing increasingly higher fines and penalties. The follow-on legal costs, DPA limitations and reputational damage can often be several times more damaging than the initial fines and penalties. Individual prosecutions are also on the increase. It is therefore crucial for global companies to implement targeted compliance programs – including risk management strategies, training, monitoring structures and procedures, top-down culture, whistleblowing lines and trained personnel.

In conclusion, global regulatory enforcement is continuously growing and becoming much more rigorous – and, therefore, so should the investment in companies’ compliance efforts. However, it is vital to remember that one size does not fit all – measures have to be tailored to the risks of the company. And that’s not anywhere as simple and straightforward as it might sound.

About Forensic Risk Alliance

Forensic Risk Alliance (FRA) is an international consultancy specialising in anti-corruption compliance testing, forensic accountancy, and supporting clients facing regulatory investigations and cross-border, multi- jurisdictional litigation. FRA provides multi-jurisdictional expertise in financial and electronic forensics to analyse and help companies manage risks in an increasingly regulated global business climate. www.forensicrisk.com

A Sea Change in Europe Leaves No Shelter in the Harbor

Editor’s note: we asked Toby Duthie and Lukas Bartusevicius of Forensic Risk Alliance to provide context on the dynamics underway in the European Union now that a court has  declared Safe Harbor invalid. Their context is below. – bg

Introduction

In a landmark decision on the 6th of October, the Court of Justice of the European Union (CJEU) invalidated the EU-US Safe Harbor agreement, addressing the onslaught of concern that the agreement failed to provide adequate protections for EU citizens’ private data located in, or transferred to, the United States.

The decision means that the most commonly used data transferring method between the EU and the US – allowing for over 4000 companies to store and process data in the US – is no longer an option. The impact for companies is very significant as the CJEU ruling requires for them to obtain each EU citizen’s explicit consent before moving their personal data to the US without the customers’ explicit consent – this includes such information as their name, email or home address, employee’s HR data and health-related information or any documents containing such details. In practical terms, this has implications across Europe for the way in which hospitals, for example, store patient data, businesses archive HR information, and subsidiaries share internal and external data with their US-based parent organisations.

European Data Movement Without Safe Harbor

Businesses from all sectors will, therefore, need to move quickly to ensure they comply with local country data protection and make significant changes to the way data is collected, where it is processed, hosted, searched and reviewed. This is an increasingly difficult challenge – the global digital economy increasingly makes demands on data to be fluid and to travel freely between geographies. This is particularly so as a result of recent mainstream adoption of cloud computing, managed software services and the growing importance of ‘big data’ analysis by multinational organisations. Many of these hosted service companies may not have offered EU-based data storage and processing options; routinely shipping data to the US and other territories outside the EU for backup, archiving and processing. Further, companies using third parties to store, back up or analyse their data need to conduct assessments whether the suppliers are up to speed on the changing legislation – as they can be held accountable for their third parties’ data privacy violations.

Without Safe Harbor in place, US companies will have to be up-to-speed on the individual data protection policies in individual European countries – particularly Germany, France and Switzerland, which have the most stringent rules – especially in the context of civil and criminal investigation and litigation. Taking Germany as an example – following the CJEU decision, if or when a US-based company needs to transfer data from Germany to the US, it will have to take into account state and federal data protection laws, engage with workers and potentially their counsel, review the data in Germany, and/or ask a US court or government entity to request the documents from Germany though official processes – such as a mutual legal assistance treaty (MLAT). In France, US companies will have to consider blocking statutes – and in Switzerland the Swiss Blocking Statute and Bank Secrecy laws – before transferring data out of the country. The UK’s Data Protection Act and Italy’s Data Protection Code also make data transfers difficult and need to be adhered to on a case-by-case basis.

Implications for Cross Border eDiscovery Post-Safe Harbor

In a world without Safe Harbor, companies also need to be particularly careful when data transfer is required as part a criminal investigation, particularly if it is an eDiscovery request pertaining to a US fraud or bribery investigation. If they have not already done so, businesses will need to undertake thorough reassessments of their eDiscovery practices and consider how the data relating to the investigation is collected and where it is processed, hosted, searched and reviewed. This could cover anything from emails, documents, presentations, databases, voicemail, audio and video files, through to social media and websites.

Even when Safe Harbor was in place, FRA has always recommend that all the data collection, hosting, review and analysis needed for an eDiscovery request is performed within the relevant country using tools that allow local review and segregation of data. Now, however, it is absolutely essential.

Assuming eDiscovery is outsourced, vendor due diligence is more important than ever. Only a handful of vendors can deploy robust in-country solutions. Historically, most have shipped data to larger processing centres in the UK and the US. An experienced vendor who can work with the legal team to develop an appropriate strategy and manage data transfer risks from the outset is vital.

Conclusion

Once the new EU legislation is in place, the EU Council and EU Parliament will be able to enforce potentially crippling fines. It is therefore vital for companies to conduct self-assessments and ensure compliance with interim data protection legislation with individual EU countries and, longer term, make sure that they have the procedures and infrastructure in place to comply with the forthcoming EU legislation. With suggestions that the EU Council are making plans to allow fines to be imposed of up to €1 Million or 2% of global annual turnover, and for the EU Parliament to levy fines up to €100Million or 5% of global turnover, it is critical that companies act now and keep on the right side of Europe’s new data protection laws.

More Content

Cyber War

Optimizing Corporate Intelligence with OODA Loop

This post is part of our Intelligent Enterprise series, which providing insights aimed at corporate strategists seeking competitive advantage through better and more accurate decision-making. The first post provided foundational insights into A Practitioner’s View of Corporate Intelligence. This one dives into actionable recommendation on ways to optimize a corporate intelligence effort. It is based on a career serving large scale analytical efforts in the US Intelligence Community and in applying principles of intelligence in corporate America.

SciFi

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!  

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]